Page 1 of 1

multiple subjects on one role

PostPosted: Sun May 30, 2004 7:23 am
by Active2
I'm trying to do this:

ACL file:
role default
subject / {
/ h

-CAP_ALL

connect disabled
bind disabled
}

role admin sA
role_allow_ip 192.168.0.0/32
role_allow_ip 0.0.0.0/32
subject / {
/ rwcdmxi

+CAP_ALL
}

role root uG
role_transitions admin
subject / {
/ r
/home rwxcd
/dev
/dev/grsec h
/dev/urandom r
/dev/random r
/dev/zero r
/dev/null rw
/dev/ptmx rw
/dev/initctl rw
/dev/mem h
/dev/kmem h
/dev/port h
/bin rx
/sbin rx
/lib rx
/usr r
/usr/lib rx
/usr/bin rx
/usr/sbin rx
/etc rx
/proc rx
/proc/kcore h
/root r
/tmp rwcd
/var r
/var/tmp rwcd
/var/log r
/etc/grsec h
/etc/ssh h

-CAP_ALL

connect disabled
bind disabled
}

role matthijs u
role_allow_ip 192.168.0.0/32
subject / {
/ h
/bin h
/sbin h
/etc h
/etc/grsec h
/etc/passwd h
/etc/shadow h
/etc/ssh h
/etc/lilo.conf h
/home/users/matthijs rwxc
/usr/bin rx
/usr/sbin rx
/usr/share h
/usr/share/zoneinfo r
/usr/share/doc r
/var h
/var/run rw
/proc r
/proc/kcore h
/proc/sys h

-CAP_ALL

bind disabled
connect disabled
}

subject /bin/ls o {
/bin/ls x
/lib rx
/usr h
/usr/lib rx

-CAP_ALL

bind 0.0.0.0/32:0 dgram ip
connect 192.168.0.0/32:53 stream dgram tcp udp
connect 192.168.0.0/32:389 stream dgram tcp udp
}


When i now try to enable the acl system i get this:
server:/etc/grsec# gradm -E
Default object not found for role matthijs subject /bin/ls
The RBAC system will not load until you correct this error.


I can't figure out what i am doing wrong.

PostPosted: Sun May 30, 2004 9:28 am
by onyx
}

subject /bin/ls o {
/bin/ls x
/lib rx
/usr h
/usr/lib rx

-CAP_ALL


I think you should insert a line like

/ h

and it will work
It should look like this:

subject /bin/ls o {
/ h
/bin/ls x
/lib rx
/usr h
/usr/lib rx
-CAP_ALL

bind 0.0.0.0/32:0 dgram ip
connect 192.168.0.0/32:53 stream dgram tcp udp
connect 192.168.0.0/32:389 stream dgram tcp udp
}

bye, onyx

PostPosted: Sun May 30, 2004 3:22 pm
by Active2
Thanks for reply

It works :)

But now next problem

I think it's not doing inheritance:

When i've this piece of acl:
role matthijs u
role_allow_ip 0.0.0.0/32
subject / {
/ h
/bin rx
/sbin h
/dev h
/dev/tty0 rw
/dev/tty1 rw
/dev/tty2 rw
/dev/tty3 rw
/dev/tty4 rw
/dev/tty5 rw
/dev/tty6 rw
/etc r
/etc/grsec h
/etc/ssh h
/etc/lilo.conf h
/lib rx
/home h
/home/matthijs rwxcd
/proc r
/proc/kcore h
/proc/sys h
/usr/lib rx
/usr/share r
/usr/bin x
/usr/sbin h

-CAP_ALL

bind disabled
connect disabled
}

subject /bin/bash o {
/ h

-CAP_ALL

bind disabled
connect disabled
}

subject /bin/ps o {
/ h

-CAP_ALL

bind disabled
connect disabled
}


I get the following error:
matthijs@vmware:~$ ps
grsec: denied access to hidden file /bin/ps by /bin/bash[bash:17115] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:7548] uid/euid:1000/1000 gid/egid:1000/1000
grsec: denied access to hidden file /bin/ps by /bin/bash[bash:17115] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:7548] uid/euid:1000/1000 gid/egid:1000/1000
grsec: denied access to hidden file /bin/ps by /bin/bash[bash:17115] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:7548] uid/euid:1000/1000 gid/egid:1000/1000
grsec: denied access to hidden file /etc/locale.alias by /bin/bash[bash:17115] uid/euid:1000/1000 gid/egid:1000/1000, parent /bin/bash[bash:7548] uid/euid:1000/1000 gid/egid:1000/1000
-bash: /bin/ps: No such file or directory


Someone know why it doesn't take the /bin rx in the subject / for the subject /bin/ps ? Why doesn't it inherit ?

(Sorry for my bad english)

PostPosted: Sun May 30, 2004 5:03 pm
by onyx
Active2 wrote:Thanks for reply

subject /bin/ps o {
/ h

-CAP_ALL

bind disabled
connect disabled
}


This is happening, because the o flag is there for the /bin/ps subject, which means, that it should not use inheritence, but it should use the rights that are set in that subject. So you must set /bin rx in the /bin/ps subject as well, or you can remove the o flag from the subject, but i think, that it's not a very good idea. (It was like this in grsec 1.9.x, I think it is like this in grsec 2.0). Or, another method is to use learnig mode, to generate the rules for this subject (see documentation, and flag o is described there as well).

bye, onyx